Using Duo Universal Prompt

Overview
Available authentication methods
Using biometrics (Touch ID, Windows Hello, and Face ID)
Using Duo without phone service or wifi
Using Duo with org accounts
Additional resources

Overview

Beginning Jan 24, 2024, USC faculty and staff will see a redesigned Duo authentication prompt after entering a USC NetID and passphrase on the red Shibboleth SSO screen. This newer Duo authentication method is more secure but does differ in some ways from the previous method.

Duo mobile app

The most significant change is to the Duo mobile app authentication process: beginning Jan 24, the Duo prompt will show you a three-digit code. You will need to open the Duo mobile app on your device and enter that code into the app. This is a more secure method of login than the previous Duo push notification process.

Available authentication methods

The following Duo authentication methods are available for Duo Universal Prompt, listed in descending order from most secure to least secure:

Authentication method Description Biometrics (Touch ID, Windows Hello, Face ID)

Setup guide: Using biometrics (Touch ID, Windows Hello, and Face ID)
Recommended as the most secure method
Can be used offline (without phone service or an Internet connection)

Duo mobile Push notification

Setup guide: Adding and removing devices in Duo
Already the default authentication method for most people using Duo
As of Jan 24, USC faculty and staff need to enter a three-digit passcode from the Duo authentication screen into the Duo mobile app

YubiKey, D100 token, and other hardware tokens

Setup guide: Using a security token with Duo
Can be used offline (without phone service or an Internet connection)
Disadvantage: Can be more easily lost or misplaced due to small size, and must be physically connected to your device during use

Phone call or text message

Setup guide: Adding and removing devices in Duo
Disadvantage: Considered the least secure method

Default authentication method order

Duo will automatically select the most secure method. Refer to the table above for the order that Duo considers when selecting the default authentication method.

You can manually select Other options if you do not prefer Duo's default selected method.

Retired authentication methods

The following methods are no longer available:

You can no longer use the "Enter a Passcode" option with the Duo mobile app.
You can no longer have Duo text you a list of ten bypass codes for offline use.

Using biometrics (Touch ID, Windows Hello, and Face ID)

You can use biometrics for Duo authentication on supported devices:

Quick guide

Go to https://account.usc.edu/2fa/configure.
Do not complete Duo authentication when prompted. Instead, click Other options.
Click Manage devices.
Select a verification method and complete Duo authentication.
The Duo Device Management page displays. Click Add a device.
The options that display depend on your device:
- Mac: Click Touch ID.
- iPad or iPhone: Tap Face ID / Touch ID.
- Windows PC: Click Windows Hello.
- If you do not see any of these options, your device may not support fingerprint or facial recognition.
Click Continue.
Follow the prompts. Once you complete setup, the new option is added. The next time you sign into a USC service and receive the Duo authentication prompt, you can use this option.
- If you see the default "Open Duo Mobile" prompt, click Other options and then select Touch ID / Windows Hello.

Detailed guide (with screenshots)

Go to https://account.usc.edu/2fa/configure.
Do not complete Duo authentication when prompted. Instead, click Other options.
Click Manage devices.
Select a verification method and complete Duo authentication.
The Duo Device Management page displays. Click Add a device.
The options that display depend on your device:
- Mac: Click Touch ID.
- iPad or iPhone: Tap Face ID / Touch ID.
- Windows PC: Click Windows Hello.
- If you do not see any of these options, your device may not support fingerprint or facial recognition.
Click Continue.
Follow the prompts. Once you complete setup, the new option is added to your devices. The next time you sign into a USC service and receive the Duo authentication prompt, you can use this option.
- If you see the default "Open Duo Mobile" prompt, click Other options and then select Touch ID / Windows Hello.

Using Duo without phone service or wifi

If you are offline (for example, traveling out of the country without cellular service or wifi), make sure to set up one of the following methods beforehand, while you still have phone service or wifi:

Option 1 (recommended): Set up Touch ID, Windows Hello, or Face ID
Option 2: Request and activate a security token

Be aware that, while these options allow you to complete Duo authentication offline, many USC services do require an Internet connection for access.

Additionally, if you are traveling out of the country, please review this important guide from the Office of the Chief Information Security Officer (OCISO):

USC Information Security International Travel Guidance

Using Duo with org accounts

Org accounts using delegate access

If you use delegate access to sign into an org account, you will continue using your USC NetID and Duo authentication to sign in. Most Dornsife org accounts use delegate access to sign in.

Org accounts using direct access

If you have the org account's password and are signing in directly, the Duo authentication prompt asks you to select an authentication method. You can click the Device dropdown to filter the prompt options:

See the following setup guide for how to add authentication methods to an org account:

Using Duo Universal Prompt with shared org accounts

Additional resources

For further information, see these pages on the website of the Office of the Chief Information Security Officer (OCISO):